Royal Melbourne Hospital has been targeted by a hack that has significantly impacted their IT systems, and in turn, the services they can provide to those most in need.

Melbourne Health, the network which runs the hospital, is currently attempting to identify the virus and restore operations. Melbourne Health is one of Victoria’s largest hospital networks and includes a rehabilitation centre and mental health service.

The virus has infected Windows XP computers within Melbourne Health’s Pathology department. Microsoft ceased support and security updates for the obsolete operating system on April 8, 2014. Continuing to run critical services on an unsupported operating system, especially services that directly impact patient health and operations, carries an extreme risk. Without regular security patches and updates from Microsoft, vulnerabilities discovered in the operating system are never fixed, leaving it open for attackers to exploit.

Staff at the pathology department are now manually processing blood, tissue and urine samples instead of leveraging their systems to register, test, record and communicate results. Only urgent pathology specimens are being processed due to delays resulting from the manual workarounds. Staff are being encouraged to use fax to communicate the need for urgent results, while critically abnormal results are being phoned to wards (including intensive care and the emergency ward).

Associate Professor Denise Heinjus, Executive Director Nursing Services and Allied Health, sent an email to staff on Monday afternoon explaining:

  • Melbourne Health’s IT department is implementing a network-wide solution to the virus and a solution may take some time.
  • The hospital’s food service was working with nurses to ensure that the right meals continue to be delivered to the right patients.
  • Payroll had not been affected by the virus.
  • Through manual work-arounds, staff had been able to minimise disruption to patients so far.

A spokeswoman stated that “patient safety has always been our highest priority and has been maintained… Elective surgeries and outpatient appointments are continuing as normal.

“We are working to fix this issue as quickly as possible. As soon as the virus has been removed, we will investigate how it came to infect Melbourne Health.”

When asked if the virus would jeopardise the safety and privacy of patients’ records, she made no comment. The spokeswoman declined to say when the virus was first detected or how long it was likely to cause problems. She also would not comment on whether patients and ambulances should avoid the hospital’s emergency department.

As we become more globally connected, the importance of maintaining IT systems increases. This isn’t new; it has been very apparent since we welcomed the internet into our operations. And while it has traditionally been cost-prohibitive to roll out and support new desktops across an organisation, there are IT as a Service (ITaaS) and Desktop as a Service (DaaS) options that can mitigate the capital investment, removing these barriers. The excuses for not maintaining systems and inadvertently creating high-risk IT environments are simply no longer valid.

As much of the health sector relies on block funding that is subject to service delivery capability, it will be interesting to see the true impact this virus has.

To learn more about ITaaS and DaaS, or better understand your risk profile, contact the blueAPACHE Consulting team.